CVE-2025-26699
Published: 06 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-26699 is a denial-of-service vulnerability in the Django web framework, specifically affecting the django.utils.text.wrap() method and the wordwrap template filter when processing very long strings. The issue impacts Django versions 5.1 prior to 5.1.7, 5.0 prior to 5.0.13, and 4.2 prior to 4.2.20. It stems from CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L).
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying very long strings to the affected functions, the attacker triggers excessive resource consumption, leading to a low-impact denial of service on the targeted Django application, particularly in a changed scope.
Django security advisories recommend upgrading to the patched versions: 5.1.7, 5.0.13, or 4.2.20. Official release notes and announcements detail the fix, available at docs.djangoproject.com/en/dev/releases/security/, groups.google.com/g/django-announce, and www.djangoproject.com/weblog/2025/mar/06/security-releases/, with additional notifications on oss-security and Debian LTS lists.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a resource exhaustion DoS triggered by supplying long strings to Django's wrap() method/template filter, directly enabling exploitation of an application vulnerability to cause unresponsiveness (T1499.004 Application or System Exploitation).